Case Study

Communications Provider Gains Exceptional Up-time and Security through Virtualization

Background

Our customer, a leading expert in the telecommunications industry, approached NetworX IT with a unique challenge: how to secure, scale, and back up their network while engaged in a rapid expansion of their business.

Their priorities were keeping their customers’ data private, keeping up with data compliance and regulations, and securing their network against possible attacks and leakage.

When they decided to build a new office for their subsidiary – one with over 300 employees – they sought the best possible solution for setting up and managing its network.

Sagy Langer, the founder and CEO of NetworX IT, studied their needs and unique challenges and, together with the NetworX team, proposed an elegant, efficient and secure structure for their IT needs. The project went from planning to fruition in record time, and the network is managed and maintained flawlessly, allowing the customer to focus on their business instead of their technology.

The IT challenges:

  • Building a new subsidiary office for 300 employees, which required designing a complete IT infrastructure.
  • The new campus needed: controlled internet access, user management, e-mail services, printing management, and secured file sharing and storage.
  • A major challenge was the site’s location, which suffered from many connectivity issues.
  • The customer was seeking an integrated, single-sourced IT systems solution that is secure and easy to manage.

Post-implementation outcomes:

  • After studying the requirements, NetworX delivered a total IT systems solution that was seamlessly integrated at the new campus. The solution’s integrity has underpinned the continued success and growth of the new campus.
  • NetworX worked closely with the client and provided an IT environment that was secure, tightly controlled, adaptable to future changes, and easy to manage.
  • The newly implemented and well designed IT architecture increased productivity across all departments.
  • The network solution was implemented on time and exceeded the client’s expectations.

In-depth technical specifications, custom designed for the client’s needs:

To meet all of the requirements and allow for future growth, an onsite virtualized environment hosting Windows servers was chosen.

Network: a UTM firewall pair in high availability, together with 2 top-of-rack (ToR) 10GbE switches that connect to the other on-campus switches, was installed. These 2 switches carry all VLANs in a load-balanced arrangement, where each switch has half of the VLANs active and the other half on standby. If one switch fails, its standby VLANs become active on the surviving switch. The switches were also configured with trunk ports using 20Gbps links between them for high reliability and performance.

As most users connect over wireless, 2 wireless access controllers in high availability were installed, supporting 15 access points that cover the entire campus. Security was an essential aspect of the design, so the network was divided into segments: each department has its own network segment, and one segment is used solely for network resources such as servers and printers.

We installed an isolated management network that exists only on network resources such as servers and appliances. This network is not accessible from the LAN and is used only for administering the environment, with very strict rules that limit protocols and traffic. Management tasks are limited to "management workstations", which administrators access with a separate set of credentials. This reduces the risk of mistakes by administrators using their admin accounts on their day-to-day computers.

At the edge of the network, we installed a next-gen firewall by Fortinet. This firewall controls and secures all traffic between the LAN, the DMZ, and the Internet. It is also tied to the backend servers, such as the Active Directory (AD) servers, to allow or block access to websites and applications. For example, members of the Marketing AD group could browse the company's social media sites whereas the rest of the employees could not. The FortiGate device also serves as a VPN concentrator, allowing remote users to VPN into the office. Permission to log in is determined by a user's membership in specific AD security groups, and each user "lands" on their relevant VLAN after connecting.

Virtualization: VMware was chosen as the virtualization platform. An HP blade system enclosure with 16 blades was purchased. Each blade houses dual CPUs with 12 cores each, a hefty amount of RAM, and 2 two-port Flex 10GbE network cards running the VMware ESXi hypervisor. The Flex network cards, combined with the FlexConnect switches, provide 4 ports of 10GbE, each of which can be subdivided into "slots of bandwidth" to serve different purposes. This allowed enough bandwidth to be allocated for network traffic going in and out of the enclosure without affecting the bandwidth allocated for virtual machine replication.

Storage: An HP SAN device connected to the enclosure over iSCSI was deployed. The device was configured in RAID-10, which provides high fault tolerance. The storage is used by VMware datastores to hold all the virtual machines' data, the file shares and the company's email.

Servers: The ultimate goal was a feature-rich, secured, and centrally managed environment allowing administrators to make changes and support users without needing physical possession of the users' computers. Windows Server 2016 Standard Edition was deployed with customized roles and features.

An Active Directory was painstakingly designed, resulting in a lean and functional structure that allowed for targeted feature deployment and security.

Regarding DNS, queries are not performed against public DNS servers on the Internet. Instead, the DCs, which act as DNS servers, forward all queries to 2 DNS servers that reside on the DMZ network and are not part of the domain. This allowed us to minimize the exposure of internal servers to the Internet. CNAME records were used extensively to better support changes in server names and to minimize downtime.

The DHCP server is responsible for assigning IP addresses to computers in the different VLAN segments. The resource VLAN does not have a DHCP server, for security purposes.

For the Certificate Authority (CA), we deployed an offline, standalone root CA and a subordinate CA. The root CA is kept turned off to minimize attacks that could lead to its compromise. Each user and each computer on the domain receives a certificate.

File services: The requirement was to provide file storage locations for users, departments, and teams (users from different departments), as well as a location shared by all users. In addition, the customer wanted folder redirection, which keeps the special folders such as Desktop, My Documents, and My Pictures on the server. Windows File Server Resource Manager was used to meet these requirements. The system was designed so that an AD administrator can grant or revoke a user's access to folders without touching the file system's NTFS permissions. In short, administrative AD groups were created and given permissions at the file system and share levels. These groups are created when a new share or folder is created and, as a general rule, are never changed afterwards; helpdesk personnel cannot modify them. A second set of AD groups was created and made members of the first set. Helpdesk grants access to folders simply by adding users to this second set of groups, which is easy and intuitive.

The "Folder Enumeration" feature was turned on where applicable; it prevents folders from being displayed to users who do not have permission to access them.
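The two-tier group model and the enumeration setting described above, shown as an added PowerShell example that is not NetworX's own script; the OU paths, share root, group names and the user 'jdoe' are assumed placeholders:

```powershell
# Added example, not NetworX's own script: the two-tier AD group model from
# the text applied to one departmental share, plus access-based enumeration.
# Assumed: a domain-joined file server with the ActiveDirectory and SmbShare
# modules; OU paths, share root and the user 'jdoe' are constructed placeholders.
Import-Module ActiveDirectory

$Dept       = 'Marketing'
$Path       = "D:\Shares\$Dept"
$Domain     = $env:USERDOMAIN
$ResourceOU = 'OU=Resource Groups,DC=corp,DC=example'   # placeholder
$RoleOU     = 'OU=Role Groups,DC=corp,DC=example'       # placeholder

# Tier 1: resource groups. They are the only principals on the NTFS ACL and
# share ACL; created once with the folder and, as a rule, never changed.
$AclGroups = @{ "ACL_${Dept}_Modify" = 'Modify'; "ACL_${Dept}_Read" = 'ReadAndExecute' }

# Tier 2: role groups nested inside the resource groups. Helpdesk manages
# membership here and never needs rights on the file system itself.
$RoleGroups = @{ "Role_${Dept}_Staff" = "ACL_${Dept}_Modify"; "Role_${Dept}_Viewers" = "ACL_${Dept}_Read" }

foreach ($g in $AclGroups.Keys) {
    New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $ResourceOU
}
foreach ($g in $RoleGroups.Keys) {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $RoleOU
    Add-ADGroupMember -Identity $RoleGroups[$g] -Members $g
}

# NTFS: break inheritance, then grant only SYSTEM, Administrators and the resource groups.
New-Item -ItemType Directory -Path $Path -Force | Out-Null
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$inherit  = 'ContainerInherit,ObjectInherit'
$ruleType = [System.Security.AccessControl.FileSystemAccessRule]
$acl.AddAccessRule($ruleType::new('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow'))
$acl.AddAccessRule($ruleType::new('BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'))
foreach ($g in $AclGroups.Keys) {
    $acl.AddAccessRule($ruleType::new("$Domain\$g", $AclGroups[$g], $inherit, 'None', 'Allow'))
}
Set-Acl -Path $Path -AclObject $acl

# Share level: same resource groups, with access-based enumeration so users
# never see folders they cannot open.
New-SmbShare -Name $Dept -Path $Path -FullAccess "$Domain\ACL_${Dept}_Modify" `
    -ReadAccess "$Domain\ACL_${Dept}_Read" -FolderEnumerationMode AccessBased | Out-Null

# Day-to-day: helpdesk grants (or revokes) access by editing the role group only.
Add-ADGroupMember -Identity "Role_${Dept}_Staff" -Members 'jdoe'
```

Because the role groups are the only thing helpdesk edits, a review of who can reach a folder reduces to listing the members of one group rather than auditing NTFS ACLs.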

Lastly, we implemented File Classification Infrastructure (FCI) with user and device claims. It allows an administrator to define classification properties and assign them to folders and files. Rules can then be defined on these properties to restrict or allow access to the files based on user attributes. Furthermore, the classification properties play a major role in the organization's Data Leak Prevention (DLP) efforts, as Exchange and other systems can act on them.

Print services: Printers were defined on a centralized server and deployed through group policy. All printers are networked, and access is controlled by a user's AD group membership. There are also printer administrators who can manage all printers.

Email: Exchange 2016 was chosen. Two Exchange servers in a DAG handle the company's email. In addition, we deployed a Barracuda Email Security Gateway (ESG) for spam filtering. All mail flows through the ESG in both directions before reaching Exchange and onward to the Internet. At the initial deployment, the company had an existing Kerio mail server. We made accommodations to support a transition period in which email was first received by the Kerio server and, if the recipient was not found there, forwarded to Exchange; the same occurred in the reverse direction.

Network Protection Server (NPS): RADIUS, which is part of NPS, plays an important part in authenticating computers (before user login) and users against AD on the wireless network. Computers are connected to the network before the user logs in: RADIUS authenticates the computer's account and "lands" it on the computer's relevant VLAN. When the user logs in, RADIUS is used in the same way to place the session on the user's relevant VLAN. To clarify, unless a user from one department logs in to a computer that belongs to a different department, the user's and the computer's VLANs are the same.

Backup: To back up the servers’ virtual machines, we installed a Datto backup appliance. Datto provides snapshot backups at predefined intervals, including ransomware detection, screenshot validation and off-site cloud storage. Another advantage of Datto is the ability to spin up machines on the Datto device itself or in the cloud, and to access backed-up files and folders from the cloud if the server is inaccessible.

Network Management System: We installed a network management server that reports to a centralized NMS hosted in AWS. The system monitors network equipment, SNMP-based devices, virtual hosts, virtual machines, and Windows servers, as well as AD groups and file systems. It sends alerts and scheduled reports and provides highly visual dashboards.